Ethical Hacking Using Penetration Testing

(1)

Louisiana State University

LSU Digital Commons

LSU Master's Theses Graduate School

2014

Ethical Hacking Using Penetration Testing

Bharath Kumar Koopari Roopkumar

Louisiana State University and Agricultural and Mechanical College, [email protected]

Follow this and additional works at:https://digitalcommons.lsu.edu/gradschool_theses

Part of theElectrical and Computer Engineering Commons

This Thesis is brought to you for free and open access by the Graduate School at LSU Digital Commons. It has been accepted for inclusion in LSU Master's Theses by an authorized graduate school editor of LSU Digital Commons. For more information, please [email protected].

Recommended Citation

Koopari Roopkumar, Bharath Kumar, "Ethical Hacking Using Penetration Testing" (2014). LSU Master's Theses. 3238.

(2)

ETHICAL HACKING USING PENETRATION TESTING

A Thesis

Submitted to the Graduate Faculty of the Louisiana State University and Agricultural and Mechanical College

in partial fulfillment of the requirements for the degree of

Master of Science in

The Division of Electrical and Computer Engineering

by

Bharath Kumar Koopari Roopkumar

B.Tech., Jawaharlal Nehru Technological University, 2012 December 2014

(3)

ACKNOWLEDGEMENTS

Dr. Suresh Rai has been the inspirational and wonderful person who introduced me to the world of Networks. I sincerely thank him for the opportunity to work with him. I thank him for immense guidance, patience and moral support towards my completion of master’s program.

My sincere thanks go to Dr. Jerry Trahan and Dr. Ramachandran Vaidyanathan for their consent to be the committee members and for their valuable suggestions in improving this document. I also thank Dr. Trahan for approving the proposal of purchasing new equipment for the lab which helped me for this research.

Besides my advisor and the committee, I would like to sincerely thank Mr. Mark Hovey for providing me financial support throughout my masters. I am thankful to him and Mr. Tim Nguyen-Pham for helping me with computer equipment for my research.

Deepest gratitude to my parents Mr. Koopari Roop Kumar and Mrs. Koopari Padma, and to my family for their love, and blessings. I sincerely thank my dear friend Ms. Krishna Kumari Maddali for all the moral support and guidance.

(4)

LIST OF TABLES

2.1 Tools ... 15

2.2 Frameworks... 16

A1.1 PC Configurations ... 79

A1.2 Router Configurations ... 79

A4.1 Tools Description ... 85

(8)

LIST OF FIGURES

1.1 A Procedure Prototype for Pen Testing ... 2

2.1 Penetration Testing Layout ... 7

2.2 Types of Testing Based on the Concentration ... 9

2.3 Step by Step Pen Testing ... 10

3.1 Scope of BGP ... 18

3.2 The Process of BGP Connection Establishment ... 20

5.1 Lab Topology for Demonstrating Application Attacks ... 36

5.2 Lab Topology for Layer 3 Penetration Attacks ... 37

5.3 Lab Topology for Layer 2 Penetration Attacks ... 37

5.4 Actual Laboratory Setup ... 38

5.5 TCP Syn Flood Attack Script ... 42

5.6 Wireshark Analysis on the Victim ... 43

5.7 Output Indicting Defense to TCP Syn Attack... 44

5.8 Python Code for LAND Attack ... 45

5.9 Wireshark Analysis of LAND Attack ... 46

5.10 Filtered Packet during Defense ... 47

(9)

5.12 Wireshark Analysis of IP Spoofing Attack ... 48

5.13 Nmap Scan Indicating the Active Hosts ... 50

5.14 Python Code for Cam Flooding Attack ... 51

5.15 Wireshark Analysis of Cam Flooding... 51

5.16 Cam Flooding On the Switch Console... 52

5.17 Mac Spoofing Code ... 53

5.18 Wireshark Analysis for Mac Spoofing ... 53

5.19 Indicating Security Violation ... 54

5.20 STP Attack Python Code ... 55

5.21 Wireshark Analysis of STP Attack ... 55

5.22 Switch Port Verification ... 56

5.23 Telnet on the Victim ... 59

5.24 Network Scanning Via Ping Sweep ... 60

5.25 Scanning Using Nmap ... 61

5.26 Vulnerability Scan Using Nmap ... 63

5.27 Dradis and Nessus Results for .Xml File ... 63

5.28 Auxiliary Scan Using Metasploit for Mssql ... 65

(10)

5.30 Logging Into the Target Machine ... 66

5.31 Exploit and Payload Results ... 67

5.32 Windows Server 2003 Exploitation ... 68

5.33 Results for Metasploitable Exploit... 69

5.34 Remote Desktop Connection to the Target ... 70

A2.1 Topology Used to Configure the ASA on GNS3 ... 80

A2.2 Communication between the LAN and DMZ ... 80

A2.3 Security Levels to the LAN, DMZ and WAN Areas in the Network ... 81

A2.4 Topologies Used in CPT to Implement the CCNA Security ... 82

A3.1 Successful Exploit to Windows 2008 Server ... 83

A3.2 Resolving IP Address with DNS Lookup ... 83

(11)

LIST OF ABBREVIATIONS

ACL - Access Control List

AAA - Authentication Authorization Accounting ASA - Adaptive Security Appliance

BPDU - Bridge Protocol Data Units BGP - Border Gateway Protocol CDP - Cisco Discovery Protocol

CCNA - Cisco Certified Network Associate DNS - Domain Name System

DN Sec - Domain Name System Security Extensions DMZ - Demilitarized Zone

DTE-DCE - Data Terminal Equip - Data Communications Equipment DTP - Dynamic Trunking Protocol

EBGP - External Border Gateway Protocol FTP - File Transfer Protocol

GNS3 - Graphical Network Simulator

GNOME - GNU Network Object Model Environment GUI - Graphical User Interface

HTTP - Hyper Text Transfer Protocol IP - Internet Protocol

ISP - Internet Service Provider IIS - Internet Information Services IDS - Intrusion Detection System

ISSAF - Information Systems Security Assessment Framework IBGP - Internal Border Gateway Protocol

ICMP - Internet Control Message Protocol JtR - John the Ripper

LSU - Louisiana State University LAN - Local Area Network

(12)

MTU - Maximum Transmission Unit

NIST - National Institute of Standards and Technology NAT - Network Address Translation

OSPF - Open Shortest Path First

OSSTMM - Open Source Security Testing Methodology Manual OWASP - Open Web Application Security Project

PCI - Payment Card Industry POP3 - Post Office Protocol

PSTN - Public Switched Telephone Network QoS - Quality of Service

QEMU - Quick EMUlator

RAM - Random Access Memory RIP - Routing Information Protocol SQL - Structured Query Language SSL - Secure Socket Layer SMB - Server Message Block SPF - Sender Policy Framework SOA - Service Oriented Architecture STP - Spanning Tree Protocol TCP - Transmission Control Protocol TLD - Top Level Domain

UDP - User Datagram Protocol VPN - Virtual Private Network VNC - Virtual Network Computing VLAN - Virtual Local Area Network VOIP - Voice over IP

WAN - Wide Area Network

(13)

ABSTRACT

This thesis provides details of the hardware architecture and the software scripting, which are employed to demonstrate penetration testing in a laboratory setup. The architecture depicts an organizational computing asset or an environment.

With the increasing number of cyber-attacks throughout the world, the network security is becoming an important issue. This has motivated a large number of “ethical hackers” to indulge and develop methodologies and scripts to defend against the security attacks. As it is too onerous to maintain and monitor attacks on individual hardware and software in an organization, the demand for the new ways to manage security systems invoked the idea of penetration testing. Many research groups have designed algorithms depending on the size, type and purpose of application to secure networks [55].

In this thesis, we create a laboratory setup replicating an organizational infrastructure to study penetration testing on real time server-client atmosphere. To make this possible, we have used Border Gateway Protocol (BGP) as routing protocol as it is widely used in current networks. Moreover, BGP exhibits few vulnerabilities of its own and makes the security assessment more promising. Here, we propose (a) computer based attacks and (b) actual network based attacks including defense mechanisms. The thesis, thus, describes the way penetration testing is accomplished over a desired BGP network. The procedural generation of the packets, exploit, and payloads involve internal and external network attacks.

In this thesis, we start with the details of all sub-fields in the stream of penetration testing, including their requirements and outcomes. As an informative and learning research, this thesis discusses the types of attacks over the routers, switches and physical client machines. Our work

(14)

also deals with the limitations of the implementation of the penetration testing, discussing over the vulnerabilities of the current standards in the technology. Furthermore, we consider the possible methodologies that require attention in order to accomplish most efficient outcomes with the penetration testing. Overall, this work has provided a great learning opportunity in the area of ethical hacking using penetration testing.

(15)

1. INTRODUCTION

How can any organizational network be tested for vulnerabilities in both software and hardware aspects to analyze and potentially strengthen the security? How can a network be secured from the hackers attacking routers and switches to manipulate the services?

This chapter addresses such type of questions with an overview for the need for network security and essentials of penetration testing in the current world with the example network breaches. We also consider the application of Border Gateway Protocol (BGP) and its implementation as in the current internet systems. In brief, this chapter deals with the motivational aspects and provides a brief layout of the thesis.

1.1 Pentester

The network security is one of the major concerns of any information system. As the size of the system grows, the possibility of weak configurations increases which in turn create a security loop hole. Security breaches create many complications. For example, recent Home Depot and Target cyber security breaches have brought them a loss of approximately 60 million card numbers to cyber thieves. Similarly, the network breach over JP Morgan’s bank in the recent past is likely to cause a huge financial loss [18]. These incidents serve as a wakeup call to many big industries all over the world. The need to secure networks for all the individual organizations, irrespective of the size and purpose of the organization, has become much more important as it helps protect their clients’ sensitive information and investments. Providing a secure networking environment against offensive attacks is promising. The demand for the ability of an individual to test a network for vulnerabilities has led to an evolution of a “Pentester” in the recent times [19], meaning a person who performs penetration testing to analyze a specific network. Through penetration testing,

(16)

pentesters can help identify vulnerabilities/threats and provide the most dynamic way of protecting certain networks [20]. Figure 1.1 illustrates this concept.

Figure 1.1: A Procedure Prototype for Pen Testing [40]

1.2 Border Gateway Protocol

Unlike other protocols in the routing systems, BGP is the called layer 4 protocol [38]. Current version of BGP being 4 is widely used by the ISPs for internal routing. BGP runs over port 179 to establish a TCP connection. Note that BGP holds different kinds of protocols together in a system of internet. One of the most concerned limitation of BGP is its high vulnerability [45]. Penetration testing on a network running BGP provides a most appropriate relation to the current infrastructure scenario and also helps for future study.

1.3 Motivation and Thesis Layout

Networks have always been a part of all organizations’ infrastructure enabling software applications such as file transfer, server features, website, etc. to run over it. In the present world,

(17)

irrespective of the size of the organization, networking capability has become an essential requirement. For most people, awareness of networks is limited to having a wireless modem used for household appliances. But without an individual’s interference, networks are preconfigured for the mobile phones, desktop, laptops, etc.

Even though every household and organization involves networks and their applications, there are a lot of concerns regarding their maintenance. One of the most typical but serious issues that every network potentially needs to survive is the security breach. There are network intruders everywhere, ranging from a neighbor exploiting an individual’s wireless setup to targeting international banks and credit card companies for confidential information. For a person, a prior knowledge of the network principles is important to ensure network security. Network engineers and system administrators are always behind these loop holes in the network to spot and fix. But not every flaw in any network is accessible to the network administrator as it requires deeper study of the vulnerabilities and unfixed bugs.

This thesis is inspired by such security issues. The need for better understanding certain network to be able to track down the bug is also a key motivation. There are many challenges in understanding the knowledge-base of weakness and designing a robust network. To be able to test a layout in parallel, study the vulnerabilities, pretentiously attack any network to practically visualize the possibility of intrusion and to finally develop ways and means to provide a security wall are few of those tasks.

Prototyping this kind of defensive mechanism on well programmed open source software from major designers has become relatively understandable. There is a lot of research and equally lot of experts who have developed systems to demonstrate a security assessment. With the help of

(18)

more comfortable. The challenge to demonstrate this kind of infrastructure for performing penetration testing is the main motto of this project. The following network assets count to be major issues in our work;

 Challenge in deploying and creating a network infrastructure replicating real world network using BGP protocol.

 Elaborating the study of vulnerabilities in such type of networks.

 Dealing with physical Cisco routers, switches, Linux and Windows servers.  Exploitation and gaining access to test the stability of the weak network system.

1.3.1 Thesis Goal

In the field of penetration testing, considerable work has been accomplished to educate an ethical hacker in building strong knowledge base using various online tools and virtual software applications. This thesis is aimed to work beyond the software and provide a visually practical and experimental implication of the tough tasks of designing network layout and performing tests. The algorithms, layouts and the infrastructure presented in this thesis provide a bird’s eye view of how a practical network is established with various entities. Also, this thesis focuses on how an attacker could possibly attack the system and how a network engineer could protect the system. Usage of BGP as routing protocol defines a complicated network setup. This work helps elaborate the penetration testing in much more practical manner with more detailing in learning troubleshooting techniques. This thesis would be a strong startup for the information base regarding penetration testing, for students and also for beginners in penetration testing.

(19)

1.3.2 Thesis Layout

The layout of the thesis is as follows. Chapter 2 reviews the concept of penetration testing in detail including a discussion on related tools and frameworks used. Chapter 3 deals with the basics of BGP and also explains the relation to the project. Chapter 4 discusses the related work including the previous achievements and the supportive research that have helped develop the aimed concepts. Chapter 5 starts with the laying out of the network infrastructure and further describes a systematic approach carried out to reach the goal with network layout sketch, screen shots, configurations, code files and block diagrams. Chapter 6 involves a discussion about the research contributions and the challenges faced during the experimentation, with appropriate conclusion statements and likely enhancements of this thesis in future. Finally, Appendix 1 and Appendix 2 provide details about configurations, topology and firewalls. We have also included some additional screen shots for penetration testing in Appendix 3. Appendix 4 lists the description of tools and frameworks used in this thesis.

(20)

2. PENETRATION TESTING – AN OVERVIEW

Penetration testing is a process of systematic testing of hardware and software systems that involve in creating a complicated network for data storage and transmission. It is a method of understanding and evaluating the security ability of a network by simulating pretentious attacks and exploits. This understanding helps in elaborating the depth of the security system of any organization. This chapter considers all the different types of penetration testing based on the type of approach and also on the type of concentration. An overview of the different phases of penetration testing is described with block diagrams. Further, a description of the various tools that a pentester used are briefly listed. Towards the end, objectives and benefits of this testing methodology are explained.

2.1 Basic Concepts

“Penetration testing is the simulation of an attack on a system, network, piece of equipment or other facility, with the objective of proving how vulnerable that system or “target” would be to a real attack [24]”. This process is carried out by a potential ethical hacker. In simple words, it is the procedural auditing of the security features of an established network or application.

Based on the type of approach, penetration testing is classified into three types [23], namely Black box, White box and Gray box. Figure 2.1 illustrates the scope of this classification scheme. This also narrows down the classification into two major types i.e. external and internal. In simple words, it depends on whether the attacker system is inside the network or is targeting from outside the network.

(21)

2.1.1 Black-Box

The Black-Box penetration testing is the most practical attack that a tester implements without having any prior knowledge of the target systems. It is the most effective way to evaluate a system for its security controls [23]. In simple words, the penetration tester would have no access to any sort of information regarding the network, making a real world type of attack. This eliminates the application type, location of the network, types of physical equipment, etc. The attacker has to study the target completely from scratch in a systematic way to reach his goal. The aim of the black box attack on a network is to study the cyber warfare attack completely.

(22)

2.1.2 White-Box

The White-Box provides a formal way of testing certain infrastructure as the tester is provided all the basic information that understands the network layout, IP address and the application details [22]. With this basic knowledge of the target network, the tester would be able to infiltrate the network’s infrastructure with the key goal to mitigate the weak points. The tester basically works from inside the network and establishes concrete base to setup a strong system. In simple words, the tester and the organization work hand in hand to enable a tough security system.

2.1.3 Gray-Box

By the name, the Gray-Box is the combination of white box and black box types of penetration testing. Here, the tester is partially provided with the target system’s infrastructure. This type is not popular in the usual classification [23]. The available information may include the server IP address or the source code of the application. The tester might not always test the system from inside the network, rather pretend to be a hacker to test the robustness of the network environment.

Furthermore, based on the assessment requirements, penetration testing typically can be divided into four types [26]. Figure 2.2 illustrates this classification scheme.

a) Applications

Applications based penetration testing is mainly the focused on the vulnerabilities in the data monitoring applications along with the firewall security issues. Also, the client-server communication based applications that transfer information to sources might have critical loop holes that count big for the target system. In the current scenario, a lot of major web-based

(23)

applications have wide proven vulnerabilities that are yet to be mitigated. These aspects are concentrated while testing the network for its security using penetration testing.

Figure 2.2: Types of Testing Based on the Concentration [42]

b) Network

Network based penetration testing is one the major aspects in performing a testing over an organization’s network. Based on the scale of the organization, the physical network might reflect security gaps that usually go unnoticed during the setup. To ensure an unbreakable network and maintain a strong back bone, penetration testing is performed on routers, switches, modems and hubs to fill in the gaps. It is a process where a tester ethically attacks the network operations in an organization to find flaws, vulnerabilities using exploits and aims to patch and fix the loop holes.

c) Physical

The scope of weakness in this area would be the unauthorized physical access to the target machines in an organization. Authentications and restricted access are thoroughly reviewed and tested while dealing with the physical technique penetrating testing. This plays a major role as it

(24)

helps gather information of the target system in a much more comfortable way of physically being inside the network. This is concentrated to synthesize the effectiveness of the authorization authentication and access to the physical systems.

d) Social

Social engineering targets on the social websites that can easily be reached using Google and other engines. With the high social exchange over websites like Facebook, LinkedIn and Twitter, a huge amount of information is being shared that could be a starting point of the attackers to build on. Also, public meetings, human interaction are the main weaknesses that are focused on by the attackers [25]. This particular field of penetration testing is useful to evaluate the unauthorized access to the confidential information.

2.2 Systematic Approach

A successful penetration testing methodology is the integration of a step by step procedure that a tester has to follow. Our work is illustrated in the same manner as the steps involved in this methodology. Figure 2.3 illustrates these steps.

(25)

From the figure, the steps can be further amortized into six stages for better understanding as follows:

2.2.1 Planning and Preparation

Depending on the type of the penetration testing, planning and preparation is the first phase and could be a general meeting among the owners of the organization and the testers or a complete background of the target network. This is usually the approach a tester follows to familiarize the organization regarding every single approach and method that would be involved during the procedure with a lucid aim and scope [27]. Simply it’s the phase where the tester gets to know about the target system’s background and scales his methodologies with a major objective to exploit all possible vulnerabilities and provide a mitigation method to most of those with genuine detailing. This agenda also involves the privacy policy agreement, deadlines, and scheduling.

2.2.2 Information Gathering and Analysis

This phase, otherwise called as “Reconnaissance,” involves gathering information regarding the target. With the knowledge acquired during the planning and preparation phase, the tester in this phase sets a platform to gather network and application information of the organization’s system as much as possible. This phase needs clear understanding with proper management so as not to consist of intuitions and guesses. This phase plays a major role in the penetration testing as the amount of information gathered would be proportional to the amount of successful exploits. The main aim of this phase is to analyze the network layout for IP addresses, server names, applications that maintain a database, contact information, and study possible vulnerabilities based on the software [28]. The information can be gathered using the online sources that involve news channels, websites, social media and also by using Linux tools.

(26)

This can be further divided into passive and active based on the method of acquiring information. Passive is when information is gathered by searching online and researching on the background of the organization, without interfering with the organization itself. Active is when the process involves the interaction with the organization like banner grabbing.

For example: If the target system is LSU, the attacker can very easily find out the website on Google by just making a search about LSU. With the website, getting the server name, domain names, Internet service provider, the IP address and the range of the host names, operating systems, database application and the security level can be analyzed using a variety of open source tools that are available free of cost online. We shall discuss more about this in the following pages of this write up.

2.2.3 Vulnerability Detection

This phase is otherwise termed as Scanning, as it involves scanning the network based on the information that is available and the respective tools. Elaboration of this phase completely depends on the tester as the vulnerabilities of operating systems and applications are always existing, and the manufacturer works to fix these bugs from time to time. A detailed knowledge of the vulnerabilities in various platforms is very essential to perform this phase successfully [29]. It can be further divided into three major areas based on the type of scanning that is being performed [30].

i) Network Scan

This area concentrates on knowing information regarding all the host machines that are on the network. This scan involves scanning the network’s server to gather information of individual hosts on the network. This scanning helps the tester identify the IP address, operating system, and server information. Ping sweep is the most general way to accomplish this type of scanning.

(27)

ii) Port Scan

Once the tester acquires information about a specific host, the port scanning helps identify the open ports on the system and the applications that are actively taking part in the host maintenance.

iii) Vulnerability Scan

This scan helps spot possible vulnerabilities in the host machine’s operating system or the server applications or the ports that are open for the various protocols.

Scanning phase paves a path to be able to perform attacks on the vulnerable system and/or network.

2.2.4 Penetration Attempt

Here the tester accumulates all the possible packages that suit for exploitation of the type of the vulnerabilities examined during the vulnerability scan. With the scans resulting in open ports, application designers, and operating system information, the tester sends out exploits followed by payloads to run on the host machine timely to ensure the success of the exploitation [31]. During the process, the tester has to populate the packages with all the available information including the target machine’s IP address. The successful exploitation brings a consensus on the security level of the organization’s network layout.

2.2.5 Analysis and Reporting

If the penetration testing is performed officially for an organizational purpose, clean documentation needs to be provided as the result of the process. This is termed as the Analysis and Reporting phase, wherein the tester lists down all the procedures and methodologies that were used to perform all the above phases including the mitigation and security level scoring. This

(28)

documentation comes in very handy to analyze the vulnerabilities and watch for attacks over these for expanded security. Also, for future reference this would help in the information gathering phase.

2.2.6 Cleaning Up

After the whole procedure of exploring vulnerabilities and providing a mitigation methodology, a reverse procedure to clear all the modifications is mandatory, as the organization would not want any trace of the path paved towards vulnerabilities and the applications that are run on the target systems. This is basically undoing the setup, demonstration and exploitation.

Implementation of this systematic approach helps achieve the most efficient penetration testing outcome.

2.3 Tools and Frameworks

For the purpose of offensive security, there are many tools out in the market that help penetration testers and network managers to test and build a secure network layout. Most of them are free, open source tools developed for the purpose of ethical hacking and are specifically designed for usage with Linux machines. Different phases of penetration testing can be accomplished using suitable tools. There are scanning tools, testing tools, working platforms, vulnerability detection tools, etc. Among those are the list of the tools in Table 2.1 that we have used to demonstrate this security assessment. A detailed description of their usage and sources are tabulated in Appendix 4.

(29)

Table 2.1: Tools

No Tool Reference Type

1. Brutus [10] Password cracker 2. Dradis [48] Scan report organizer 3. DNStuff [11] DNS report generator 4. Hydra [49] Password cracker 5. Hping [13,14] Packet crafter 6. John the Ripper [17] Password cracker 7. Kali Linux [1] Offensive OS 8. Metasploitable [50] Vulnerable OS 9. Metasploit [2,3,4] Security project 10. Maltego [51] Network visualizer 11. Nmap [7] Network scanner 12. Netcraft [8] Scanning Website 13. Nessus [15,16] Vulnerability scanner 14. Netcat [12] Network utility

15. Python [52] Programming language 16. Scapy [53] Packet crafter

17. Ubuntu [6] Linux flavor 18. Wireshark [54] Packet analyzer

(30)

Also, there are various frameworks that pentester adapts for security assessment. These frameworks are widely accepted as they meet requirements of industry standard frameworks [34]. Table 2.2 lists the most commonly used frameworks.

Table 2.2: Frameworks

No Framework Reference Type

1. WASC [34] Web Application Security Consortium

2. OSSTMM [34] Open Source Security Testing Methodology Manual

3. OWASP top 10 [34] Open Web Application Security Project

4. ISSAF [34] Information Systems Security Assessment Framework

5. NIST [34] National Institute of Standards and Technology

Also, some of the most widely assessed vulnerabilities using these frameworks include the following [34].

 Sql injection  Hidden backdoors  Cross site scripting  Cross test request forgery  Command injection  Bypassing authentication

The above listed vulnerabilities are difficult to trace but are inclined to the absolute usage of frameworks. Most network security companies employ pentesters based on their ability to exploit these vulnerabilities.

(31)

2.5 Objectives and Benefits

Penetration tests on a large scale are beneficial in tracing critical vulnerabilities on any organizational network, helping individual companies to either advance their technology or enhance the security by mitigating the loop holes. The main objectives of a successful penetration include security incidents identification, determining the ease of the vulnerable aspects, and examining the extent of reachability. Benefits include proving the status of network infrastructure with detailed reports and identification of critical network points that are attack prone. These tests performed regularly protect an organization’s security potential [37].

2.6 Conclusion

Penetration testing on the whole is a creative invention, upholding the network security. Collaboration of the built in packages in the various tools on a suitable platform will help testing procedure have a robust impact on any network. With quality objectives and supportive environment, penetration testing is surely the highest level of network security assessment. A complete penetration testing methodology is the one that follows a systematic approach. We in this thesis follow this procedure aiming to ethically gain access to different operating systems to demonstrate a pentester’s view of network security assessment. Though the penetration testing displays limitations of data loss and the domain chaos, these completely dependent on the pentester and not the procedure itself.

(32)

3. BORDER GATEWAY PROTOCOL

BGP is an abbreviation for Border Gateway Protocol. It is an inter-domain (layer-4) routing protocol also termed as distance vector protocol. The concept is to divide the large Internet into small autonomous systems enabling efficient routing [32]. In these autonomous systems, the layer-3 routing scheme is used to carry the datagram. BGP connections run on port 179 TCP. Exterior gateway protocol is predecessor to BGP. Based on the links between routing equipment, BGP is classified into two kinds [32]. Figure 3.1 illustrates this concept.

Figure 3.1: Scope of BGP

IBGP: This is called Internal Border Gateway protocol and describes the running of BGP

internally within an autonomous system (AS).

EBGP: This is called External Border Gateway protocol and describes the running of BGP

(33)

3.1 BGP Attributes

BGP attributes lie in the details of its path attributes and the types of messages peers exchange during connection establishment.

3.1.1 Path Attributes

Path attributes used in BGP are based on the type of functionality and are as follows [47].

Origin: This defines the origin of the routing information. It comprises three values: 1, 2

and 3, based on the information learned from the intra-domain routing such RIP or OSPF, or learned from other BGP or learned from an unknown source.

AS-Path: This defines the list of autonomous systems that fall in the path from source to

destination.

Next-Hop: This defines the next router in the path to which the data packet is being

forwarded.

Mult-Exit-Disc (MED): By the name, this is used to define multiple exit paths to a

particular destination. The lowest MED is prioritized.

Local_Pref: This value is defined by the administrator depending on the routing policy

being implemented. Preference assigns values to the routes.

3.1.2 BGP Messages

BGP4 establishment typically undergo four types of messages for communication among the Autonomous systems [33]. These messages are shared between the BGP peers in the process of establishing a route in the network. Each message has its own specific meaning resembling a phase of the interface. Figure 3.2 illustrates the same in a flow chart manner.

(34)

Figure 3.2: The Process of BGP Connection Establishment [44]

Open: BGP opens a TCP connection and sends an open message to ensure neighborhood

relationship. Once a router receives open message, the router evaluates authentication, autonomous system number, etc. Unless the information carried is erroneous, a keep alive message is sent back.

Notification: The BGP speaker sends out a message whenever there is an error in

connection establishment. It could be regarding the autonomous system number, IP address error or anything else.

Update: The update message is for the router to withdraw destinations that have already

been advertised. As the router receives an update message, it automatically updates the BGP routing table.

Keep Alive: This message is the code of confirmation among the BGP speakers to

(35)

3.2 Conclusion

With this brief study of the Border Gateway protocol, the importance is well understood. Its application in this thesis is seen in Chapter 5 of implementation. We have used BGP as the major routing protocol in the network for penetration testing. The reason for choosing BGP is its application on the Internet. Also, BGP is widely used in the current routing mechanisms, making it the best suite to replicate the real world scenario. Furthermore, the vulnerabilities, like intercept Internet traffic discovered in BGP makes its application more interesting for future work [46].

(36)

4. RELATED WORK

With the aim to research on the security configurations and applications over Cisco devices in a LAN/WAN/VLAN network, we have studied and worked with three major Cisco tools. To test security features on router, switch and firewall using virtual machines, these tools are the best way to start off. The following are the tools that were initially reviewed to work virtually with Cisco equipment.

 Cisco Packet Tracer

 Graphical Network Simulator  Cisco Configuration Professional

4.1 Cisco Packet Tracer

We have used Cisco packet tracer to define the CCNA security terms and the mitigation algorithms over a switch and a router. The security is aimed to defend against the attackers. The attackers are both from inside and outside of the network. Attacks from outside are basically kinds like brute-force, password hacking, etc. The attacks from inside are also of huge concern. Possible threats from inside the network could be as follows.

 Usage of switches included in the network  Accidental usage of an infected laptop

 Enabling remote communications that open a hole for broadcasting  Attacker is adding a switch or wireless access point.

These can be widely classified into two major attack types: (a) Access attacks to switch/router and (b) LAN attacks.

(37)

4.1.1 Access Attacks

These include the type of attacks that let the attacker access the devices through the management loop. Switch/Router access control security needs to be enabled to secure the devices inside of any network. A detailed analysis of the basic access attacks is as follows.

Firstly, AAA framework is key to improve the client side security to restrict unauthorized access. AAA stands for Authentication, Authorization and Accounting [57].

i) Authentication

This deals with the individual’s user accounts and passwords, providing authentication to gain access to the equipment.

Router (config) # username ******

Router (config) # username ****** secret *******

ii) Authorization

This deals to set different levels of privilege depending on administrators and the users enable privilege level 15.

Router (config) #ip access-list standard 1 Router (config) #permit **. **. **. ** Router (config) #login quiet-mode access-class 1

iii) Accounting Logging

This helps to log all the login attempts on the asset from start to shut, providing a way for the administrators to maintain continuity files for security.

Router (config) #login on-failure log Router (config) #login on-failure log

(38)

Further, there are also other aspects such as physical security, password complexity, and Ethernet port security that help secure a network setup. Though these seem to be trivial, for an attacker this acts as an extra layer of penetration.

iv) Physical Security

This provides security at the console port with a password to enable the router. Router (config) #line console 0

Router (config-line) # password ****** Router (config-line) # login Router (config-line) # no login

Password encryption and strength provide a perfect complexity to decrypt and crack helping to maintain and restrict users having weak passwords.

v) Encryption

“Show run” command in the usual scenario displays the password that is being used to login into the console and others. Encryption is required to have a strong password. Md5 and level7 security can be used for this purpose as follows.

Router (config) # service password-encryption

This enables type7 encryption. But type7 is not secure anymore as there are open source tools and websites that easily decrypt this sort of encryption. On the other hand, md5 encryption is much more secure.

Router (config) # enable secret *********

vi) Strength

To have more specifications over the password to have a minimum number of characters including case sensitive and symbols usage, the following needs to be configured.

Router (config) # security passwords min-length 10

(39)

Further, timeout on the router can be modified from the default of 10 minutes to 4. Router (config-line) # exec-timeout 2

Router (config) # login block-for 180 attempts 5 within 120

Login attempts are configured as above setting a limit to 3 minutes for a maximum of 5 attempts within 120 seconds to have more severe strengthening of logging. This fights against brute-force and dictionary attacks.

vii) Ethernet Port

Lastly, to remotely access into the router using telnet/SSH/AUX, a few configurations on Ethernet help maintain credible security. Also setting the enable password helps,

Router (config) #line vty 0-4 Router (config-line) # password ******

Router (config-line) #login

Router (config-line) # enable password ******

4.1.2 LAN Attacks

For this record, we have considered the LAN attacks on layer 2. The type of attacks that an attacker might aim at weak LANs are VLAN hopping, spoofing attacks, DHCP attacks and ARP attacks. To restrict this type of attacks the following individual ports configuration helps.

i) DTP and VLAN Configurations

Attackers try to get access to a switch to jump to other VLANs on the network. These type of attacks let attackers broadcast domains. To not let attackers hop DTP is disabled.

DTP, in most of the Cisco devices, is automatically enabled. DTP allows ports to auto negotiate into auto mode into the trunk. If an attacker identifies this trunk, connection to the port and sending trunking protocol automatically lets switching into the trunk.

Switch (config) #interface range fa0/1-24 Switch (config-if-range) #switchport mode access

(40)

Manually configuring modes for access, will not let ports turning into trunks. Trunking also will be turned off by this negotiation. And creating VLAN25 which is unused, makes the guess of the VLAN ID much complicated.

Switch (config-if-range) #switchport access vlan 25

It is suggested to not use default VLANs, but, by default all Cisco switches start as members as manage VLAN and native VLAN in VLAN1. We need to move VLAN1. Configure switch ports to not be configured to VLAN1. Native VLAN1 is used for backwards compatibility. VLAN hopping technique is double tagging. When a packet goes from native VLAN trunk, VLAN ID is stripped from the packet. If you have 2 IDs, the first will be stripped, the second will remain and now the packet ends up on the other side with the 2nd ID.

ii) STP

STP is enabled by default on the switches. When we have multiple switches and have the possibility of switching loops, attacker could manipulate packets and configure STP to become Route Bridge to get all spanning tree configurations.

Switch (config-if) #spanning-tree portfast Switch (config-if) #spanning-tree bpduguard enable

Access ports need portfast enabling to allow to move from blocking to forwarding mode with listening and learning. So, “bpduguard” will shut the bpdu not to make the ports trunk.

iii) CDP

CDP is enabled by default. It is a layer two protocol, with a lot of information of neighboring switches. It can be used as reconnaissance to find out about other switches and routers.

(41)

We need to disable CDP by default. The following command will shut down CDP. CDP is useful only for VOIP in GNS3.

Switch (config-if-range) #no cdp enable

Switch port security is necessary to help defend against broadcast storm. Addition of storm control measures that will broadcast all switch ports will cause DoS LAN broadcast storm attack. Storm control is disabled by default, so we need to enable it. From the command below, if broadcast packets go past 70% of available bandwidth, the port will shut down.

Switch (config-if-range) #storm-control broadcast level 70

iv) Port Security

Mac Address spoofing is someone imitating mac address of other devices on the network. Port security will enable only one mac address allowed.

Switch (config-if-range) #switchport port-security maximum 3 Switch (config-if-range) #switchport port-security violation shutdown

This configuration shuts down the port. It will also protect/restrict further access to the port until reconfiguration.

Mac address overflow attack is when the switch is allowed to be bombarded with packets and mac address, the switch will try to save in the table with too much information piling up causing overflow. This broadcasting of all ports, making it a hub for the attacker to all ports causes an overflow attack. Allowing only one mac address with no new devices will help restrict this attack. Port security is disabled by default.We need to enable it.

(42)

This helps enable the switch to remember or learn on the port. Also to age switch out, the following has to be configured.

Switch (config-if-range) #switchport port-security aging time 200

v) Trunking Ports

To turn the ports into trunks manually and allow to go across these trunks. Also, to set native vlan to VLAN91 instead of VLAN1, the following is configured.

Switch (config-if-range) #switchport mode trunk Switch (config-if) #switchport trunk allowed vlan 20,60,40,91

Switch (config-if) #switchport trunk native vlan 91 Switch (config-if) #switchport nonegotiate Switch (config-if) #spanning-tree guard root

The above configuration helps enable root guard on STP root ports which in turn help to protect Root Bridge. If packets are sent to switch for bpdu use, do not allow it.

Hence, we have achieved manually configure all user ports, trunk ports and port security on access points, enable portfast, BPDU guard on all access ports and root guard on STP root ports, disable unused ports, DTP on all trunk ports, CDP on all ports. All these functionalities can be visualized on the CLI using “show interface” command.

4.2 Graphical Network Simulator 3

We have used this particular tool to configure ASA and build a topology to visualize the working of the firewall practically. Adaptive security appliance is a multipurpose firewall. The ASA firewall denies traffic that is coming from outside.

(43)

Three major features are as follows [56].

 Stateful inspection, this is when a user goes onto a website online, the ASA firewall remembers the user’s information in a Stateful session table and checks with the reply that is coming from outside. It is not going to deny this reply and allow communication.  Packet filtering functionality on ASA firewall allows traffic from the exceptions made on

it.

 VPN support (SSL/IPsec): This helps build a VPN to protect the confidentiality of the data traffic that is being transferred over the network.

Usually, the default security levels of the inside and the outside setup of the network are 100 and 0 with ASA firewall.

In building ASA firewall on a topology, we have used GNS3 (graphical network simulator) to be able to use a virtual PC simulator. Also, the console in the GNS3 is putty by default. We have preferred using secureCRT for this process. Once the installation of GNS3 is accomplished, the IOS images for the router 2600 and 3700 have been deployed.

4.2.1 ASA Configuration

The test settings are checked to be successful under the QEMU settings on the GNS3 application to enable ASA firewall on GNS3. On ASA tab, with a name, RAM, initrd and Kernel files have been deployed. Followed by feeding the QEMU options and Kernel command line [21] with the following respectively.

 -vnc none –vga none –m 1024 –icount auto –hdachs 980, 16, 32

(44)

After the deployment of ASA firewall on GNS3 tool, SecureCRT is enabled.

Next, we have a virtual PC simulator that comes with the GNS3 package. Installing and operating virtual machines on this tool is just like any other virtual machine. All the settings on the virtual machine are configured prior to that of simulating the topology as the changes in the virtual box would only be reflected on the tool after a system reboot.

For the topology we have chosen, four virtual PCs with windows XP, Ubuntu and two windows 2003 R2 servers are involved. These machines are left disconnected from the Internet and the networking addresses on these are configured to be working on the topology. The addresses include IP address, DNS information and the gateway through the network settings. Also, the virtual Host-only Ethernet Adapters are manually added to reflect on to the main system that which is running GNS3. Also on the network settings in the virtual box, the Network adapter is manually configured using the same notation as in the main system to maintain synchronization.

With successful configurations of GNS3, Virtual box, secureCRT setup and ASA configuration, the topology is built. In a basic ASA, the three zones that involve to describe it most effectively are the LAN, WAN and DMZ [56]. With LAN counting to be the inside network, WAN as the outside network and the DMZ as the Demilitarized Zone. LAN and DMZ interfaces on the virtual box are setup with the proper coordinative configurations.

To build the topology on the GNS3, drag the ASA firewall, routers 3700, Ethernet switches and clouds. Clouds are used as media of communication for the host machines to the devices. The three clouds are named LAN, WAN and DMZ, respectively. Further, we have the configuration on these nodes with the Ethernet ports on the main machine to sync with the machines that we are looking forward to communicating with. Once all the elements are brought on the workspace on

(45)

GNS3, the connections with the proper orientation are made using the regular cable. The console ports on the devices and the ASA device have been synchronized on the secureCRT accordingly.

Similar to that of the Cisco Packet tracer, once the topology is ready, debugging and configuration is followed. Configuration steps on ASA are as below.

Ciscoasa >enable (to enable the ASA)

ciscoasa # configure terminal (get to the ASA privilege mode) ciscoasa (config)#hostname ASA ( give a name to ASA)

ASA (config)# mkdir (creates a directory) ASA (config)# mkdir NAME (names the directory)

ASA (config)# copy running-configuration disk:0/NAME/(copies conf on that directory) ASA (config)# copy disk0:/NAME/running-configuration disk:0/NAME/startup(to launch on start-up

ASA (config)#boot config disk0: /NAME/startup (this is saved and on startup) ASA (config-if)# interface e0

ASA (config-if)# IP add 10.1.0.254 255.255.255.0

Similarly, configure the other two interfaces on ASA with ASA (config-if)# IP add 192.168.5.254 255.255.255.0 ASA (config-if)# IP add 100.1.0.254 255.255.255.0

ASA (config-if)# nameif inside (to determine the security level of inside network as 100) ASA (config-if)# security level 40 (manually assigning security)

ASA (config-if)# nameif outside (to determine the security level of outside network as 0)

Enable the http on the machine to be able to work with the ASDM.

ASA (config-if)# http 0 0 inside (to enable all the inside networks for http from remote host)

(46)

IP address on R1 is a  200.0.0.1 on fa0/0  250.0.0.1 on fa0/1 Similarly, on R2  250.0.0.2 on fa0/1  150.0.0.2 on fa0/0

Now that the devices and the clouds are configured, the ping from any of the systems in the topology would successfully ping the machine. Be it the DMZ to LAN (or) DMZ to ASA (or) LAN to ASA. Also with the security features configured on the firewall, the incoming traffic is managed in synchronization to that of the outgoing traffic.

Further, to manage the ASA firewall using ASDM is also determined. Initially, transfer the ASDM image to ASA so that ASDM running on the computer can manage ASA.

“Copy tftp flash:” (command to copy ASDM image) “Show flash:” (to check the flash for verification)

To set this image for the ASA use “asdm image flash:”. ASDM is on a virtual machine to check the communication and further manage. Startup wizard, configuration of interfaces and specifications would finish the setup with privilege authorization. The NAT/PAT, AAA rules along with the filtering servers, etc., are modified and tested over the ASDM.

Now on the browser in LAN, the IP address with HTTP enabled, lets ASDM run on the browser. This indicates and enables configure the ASDM to be able to manage ASA. Further, the ping from the DMZ and the LAN interfaces have been checked.

(47)

4.3 Cisco Configuration Professional

This is a real time tool that lets the administrator configure Cisco routers manually without having to use the command line. It is more dynamic and easy.

It offers the following features [39]:

 One-click router lockdown

 Innovative voice and security auditing capabilities to check and recommend changes to router configurations

 Monitoring of router status

 Troubleshooting of WAN and VPN connectivity issues.

The two major concentrations are monitoring and configuration of the devices. Through the configuration tab on the tool with the devices connected, we can configure an interface, manage security criteria over the router, or configure voice and monitor.

4.3.1 Configure

 Interface configuration: interfaces, serial, DSL, analog and digital trunks.

 Router configuration: hostname, banner, static and dynamic NAT, QoS, net flow, dynamic and DNS.

 Security configuration: Security firewall and ACL, VPN, AAA, web filter.

(48)

4.3.2 Monitoring

Monitoring checks the current status of a router and manages the routers by picking the devices. This will provide an overview of the router with memory utilization and the firewall and security features. We have implemented the same topology as that of the GNS3 with minimum devices to work on the ASA firewall and the advanced security options.

We have used this tool to perform the basic security tests on the Cisco equipment. The aim was to enhance security in a network over VOIP, INTRANET, and INTERNET. Further, aimed to deploy and decide on the best security methodologies.

All the screenshots of topology and working environment related to this chapter are displayed in Appendix 2.

(49)

5. IMPLEMENTATION

A detailed description of the laboratory results of the penetration testing phases explained in the introductory chapters will be discussed in this chapter. This involves screenshots of different stages of performing tests with appropriate description. Implementation of BGP to design a working laboratory network is illustrated. Also, the steps involved in different stages of the network penetration testing procedure will be explained using python scripts, socket programming, and command and screen captures of various tools with a detailed lab infrastructure setup.

For the purpose of application penetration testing, we have considered elaborating one case of using Windows XP as the target machine. The rest of the operating systems and the exploits that we have worked on are attached in Appendix 3.

5.1 Laboratory Setup

A network lab is setup which has multiple routers, switches and operating systems. Cisco 1841 and 2611 series routers and Cisco 2950 switches are used in the Lab. A WAN network environment is designed by connecting serial interfaces on routers using DTE-DCE Cable and T1 RJ48C cables, respectively.

Figure 5.1 shows an infrastructure replicating a real world organizational network layout set using BGP routing protocol involving autonomous systems. It can be clearly observed that the topology involves both IBGP and EBGP configurations amongst the peers. Individual machines and Cisco equipment are configured as indicated in the Appendix 1. Also, configuration steps, BGP peers and IP routes are shown in Appendix 3. For this lab, we have used BGP-4 as the running protocol on the routers as BGP is currently used by both ISPs and local networks.

(50)

Figure 5.1: Lab Topology for Demonstrating Application Attacks

Since it is a lab infrastructure, having a domain with a world wide web was not possible for various reasons. So we have configured local domains on Windows server 2003 and Windows server 2008 machines. Routers and switches are configured with the basic network configuration commands using BGP involving three autonomous systems as shown in the figure using hyper terminal. These devices with the computers form a network and are checked to ping each other. In the lab setup, Linux and Ubuntu machines are attacking machines, and the rest of the Windows operating systems and Metasploitable are the victims.

Figure 5.2 and Figure 5.3 are the other network topologies we have used for better understanding of the basic network security features and routing protocols. Utility of Cisco 2600 routers is predominant in these two assessments.

(51)

Figure 5.2: Lab Topology for Layer 3 Penetration Attacks

Figure 5.3: Lab Topology for Layer 2 Penetration Attacks

The routers and host machines in Figures 5.2 and 5.3 are configured as displayed in the respective figures.

(52)

Figure 5.4 is displays the actual setup in the laboratory. This clearly shows various desktop machines, routers, switches, cables, etc. Starting top left, Windows 7 laptop, 1841 routers stack showing front panel, Windows XP desktop, Ubuntu 12.04 desktop, Windows 2008 Server, Windows 2003 Server, Kali Linux desktop, Routers showing the connections made using RJ48 straight through cables and the panoramic picture of the lab. This panorama also includes Cisco 2950 switches, Cisco Catalyst 7000 series routers that we have used for understanding purposes.

(53)

5.1.1 Procedure

 Connect the routers using suitable cables.

 Connect the LAN interfaces of the routers to the appropriate switches.  Connect the PCs to the switches.

 Configure the IP addresses for the PCs and the routers as detailed.

 After successful configuration, the PCs should be able to ping each other.

Note: The configuration for the 1800 series routers and 2600 series is different as the interfaces vary and so does the Cisco OS. The following steps explain a basic router configuration.

Router Configuration Outline

Router>enable # Go to the enable mode on the router Router#configure terminal # Go to config mode

Router(config)#hostname R1 # Configures the hostname as R1

R1(config)#interface fastEthernet 0/1 # Go To the LAN interface of the router R1(config-if)#IP address 192.168.1.1 255.255.255.0 # Configures the IP address

and subnet mask

R1(config-if)#no shutdown # Enable the interface R1(config-if)#exit # Exit from interface mode

R1(config)#interface serial 0/0 # Go to the serial interface of the router R1(config-if)#IP address 10.0.0.1 255.0.0.0 # Configures the IP address of the

interface

R1(config-if)#clock rate 64000 # Configures the clock rate as this is the DCE end. R1(config-if)#no shutdown # Enable the interface

R1(config-if)#exit # Exits from the mode

R1(config)#IP route 192.168.2.0 255.255.255.0 10.0.0.2 # Configures a static route for reaching the 192.168.2.0 network from the 192.168.1.0 network.

Also, for routers to enable and assign BGP and its peers, the following needs to be configured.

R1#conf t

R1(config)#router bgp AS-num

R1(config-if)#neighbor **.**.**.** remote-as AS-num R1(config-if)#network **.**.**.**

(54)

PC Configuration

The TCP/IP adapter of the Linux and Windows PCs are configured as shown in the topology, with an IP address, subnet mask and default gateway. These are configured accordingly based on the operating system as it is completely different.

In a Windows PC, TCP/IP network adapter is configured directly from the control panels listing. Whereas in a Linux based machine the configuration of IP address is done with the following command in the terminal, followed by editing the script.

$ sudo nano /etc/network/interfaces

5.1.2 Tools and Services on PCs

This section lists down the various tools and frameworks that are deployed operating systems to conduct the experimentation.

Ubuntu  Hping  Scapy  Python Kali Linux  Nessus  Maltego  Dradis  Metaspolit Windows XP  Hyper terminal  Wireshark  Tftpd 32 server  .Net framework  Mssql  SSMS

(55)

Windows 2008 Server

 Active Directory Domain Services  DHCP Server

 DNS Server  File Services  Web Server (IIS) Windows 2003 Server

 Active Directory Domain Services  DHCP Server

 DNS Server  File Services  Web Server (IIS)

5.2 Network Penetration Testing

This is the back end study of a network that involves analysis of routers and switches and their vulnerabilities. This study understands the penetration testing methodology for testing different types of layer 2 and layer 3 attacks and vulnerabilities on a network using packet generation and crafting tools like Hping, Scapy, and python. The anatomy of different types of layer 3 attacks like TCP Syn flood, Land attack, IP Spoofing and layer 2 attacks like cam-flooding, mac-spoofing and STP based attacks are understood. The code/script that is required to generate the attacks with the appropriate tools is analyzed. Security features like ACL, port-security, STP BPDU Guard and configuration required to defend against the attacks are verified. A lab infrastructure is set with Cisco routers and switches, where the WAN network environment is simulated using T1 and DTE-DCE cables on Cisco routers and with multiple LAN networks. One LAN network would be used for generating the attacks, and the other WAN network would be used to analyze the anatomy of the attacks using packet analyzers like Wireshark and router/switch console outputs.

(56)

5.2.1 Layer 3 Assessment

In this section, we provide a detailed description of attacks that are possible over a Layer 3 routing network along with the defense mechanisms. The whole assessment is in reference to Figure 5.2 topology.

i) TCP Syn Flood Attack

The following code is executed from the Ubuntu system, using hping3 on the command line. The code would simulate a TCP Syn flood behavior, to the web server (IIS), which is set and configured on the Windows XP system. Wireshark on Windows XP is started for analyzing the packets that are sent using the code displayed in Figure 5.5.

Figure 5.5: TCP Syn Flood Attack Script

Code explanation is as follows,

 Sudo starts hping3 with admin privileges.

 –p 80 crafts the TCP segment with the destination port as 80, as a web server (IIS) runs on port 80 in Windows XP.

 –S sets the syn flag in the TCP header. This is for crafting the TCP SYN segment.

 –c 10 sets the count as 10. The crafted TCP SYN segment would be sent ten times to the destination that is 192.168.2.2. This can be specified as per requirement.

 192.168.2.2 Specifies the destination or the target, which is 192.168.2.2, the Windows XP system.

(57)

In Figure 5.6, the first frame (No 89) shows the first TCP SYN segment, which is sent. It can be observed that the SYN bit is set with the source IP address as 192.168.1.2 and destination IP address as 192.168.2.2. The second frame (No 90) corresponds to the TCP SYN/ACK segment which is sent from the IIS server to the TCP SYN segment. This is the second stage of the TCP three way handshake. It can be observed that the goal of the attack is to keep half open connections of TCP, and not complete the three way handshake thus attempting to exhaust the maximum number of TCP connections allowed on the server.

Figure 5.6: Wireshark Analysis on the Victim

Note: The Wireshark capture also shows TCP [RST]. This is not part of the TCP Syn flood attack. This is sent from the Ubuntu system, as there is no valid TCP ACK, which is required to complete the three way handshake.

Defense

Ethical Hacking Using Penetration Testing

LSU Digital Commons

Ethical Hacking Using Penetration Testing

ETHICAL HACKING USING PENETRATION TESTING

ACKNOWLEDGEMENTS

TABLE OF CONTENTS

LIST OF TABLES

LIST OF FIGURES

LIST OF ABBREVIATIONS

ABSTRACT

1. INTRODUCTION

2. PENETRATION TESTING – AN OVERVIEW

3. BORDER GATEWAY PROTOCOL

4. RELATED WORK

5. IMPLEMENTATION